Copyright 1999, 2002 by Ronald B. Standler
Table of Contents
1. Unauthorized use of computer
Denial of Service (DoS) Attacks
2. Malicious computer programs
Common, but Unacceptable, Justifications for Malicious Programs
3. Harassment & Stalking
4. Weak punishment in USA
5. Computer crime statutes in USA
6. Sue criminals in tort
There are no precise, reliable statistics on the amount
of computer crime and the economic loss to victims, partly because
many of these crimes are apparently not detected by victims,
many of these crimes are never reported to authorities, and partly
because the losses are often difficult to calculate.
Nevertheless, there is a consensus among both law enforcement personnel
and computer scientists who specialize in security that both
the number of computer crime incidents and the sophistication
of computer criminals is increasing rapidly.
Estimates are that computer crime costs victims in the USA
at least US$ 5×108/year, and the
true value of such crime might be substantially higher.
Experts in computer security, who are not attorneys,
speak of "information warfare". While such "information
warfare" is just another name for computer crime, the word
"warfare" does fairly denote the amount of damage inflicted on society.
I have posted a separate document,
Tips for Avoiding Computer Crime,
which includes suggestions for increasing the security and reliability
of personal computers, as well as
to websites on computer viruses, computer crime, and
anti-virus and firewall software.
Two comments on word usage in this essay:
- I normally write in a gender neutral way, but here I use the masculine
pronoun for computer criminals, because (1) female computer criminals
are rare and (2) I can't imagine a feminist attacking me because
I deny equal recognition to women criminals. <grin>
- To some professional computer programmers, the word "hacker" refers to
a skilled programmer and is neither pejorative nor does
it refer to criminal activity. However, to most users of English, the
word "hacker" refers to computer criminals, and that is the usage that
I have adopted in this essay.
I originally wrote this essay in May 1999.
I do not have the spare time that would be required
for a thorough search and analysis of reported cases and statutes on
computer crime, as well as newspaper accounts (most criminal
proceedings are resolved without generating any judicial decision
that is reported in legal databases or books),
so my revisions are mostly generalizations.
new crimes in cyberspace
There are three major classes of criminal activity with computers:
- unauthorized use of a computer, which might involve
stealing a username and password, or might involve accessing
the victim's computer via the Internet through a backdoor
operated by a Trojan Horse program.
- creating or releasing a malicious computer program
(e.g., computer virus, worm, Trojan Horse).
- harassment and stalking in cyberspace.
When lay people hear the words "computer crime", they often think of
obscene pictures available on the Internet,
or solicitation of children for sex by pedophiles via chat rooms
on the Internet.
The legal problem of obscenity on the Internet is mostly the same
as the legal problem of obscenity in books and magazines,
except for some technical issues of
personal jurisdiction on the Internet.
I have discussed obscenity on the Internet in my May 1997 essay on
law & technology
and I have nothing further to say about obscenity in this essay
on computer crime.
Similarly, many crimes involving computers are no different from
crimes without computers: the computer is only a tool
that a criminal uses to commit a crime. For example,
- Using a computer, a scanner, graphics software,
and a high-quality color laser or ink jet printer for
forgery or counterfeiting is the same crime as
using an old-fashioned printing press with ink.
- Stealing a laptop computer with proprietary information
stored on the hard disk inside the computer is the same crime
as stealing a briefcase that contains papers with proprietary
- Using the Internet or online services to solicit sex is similar
to other forms of solicitation of sex,
and so is not a new crime.
- Using computers can be another way to commit either larceny or fraud.
In contrast to merely using computer equipment as a tool to commit
old crimes, this essay is concerned with computer crimes that are
new ways to harm people.
There are many instances of messages sent in the name of someone
who neither wrote the content nor authorized the sending of the message.
These acts might be punishable by existing criminal statutes
that prohibit impersonation, forgery, deceit, or fraud.
However, a judge might decide that the specific language in old statutes
about writing or signature does not apply to e-mail. Rather than
write new statutes for forged e-mail addresses or unauthorized
sending of e-mail in someone else's name, I would prefer that legislatures
broaden the existing criminal statutes for analogous crimes with paper and ink.
- E-mails with bogus From: addresses were
sent automatically by malicious programs
(e.g., the Melissa virus in 1999, the BadTrans worm in 2001,
the Klez program in 2002).
- Posting messages in an Internet newsgroup
or online bulletin board with a false author's name that is
intended to harm the reputation of the real person of that name.
Similar issues arise in both: (1) fictitious From: addresses in
some unsolicited commercial e-mail, also called spam or junk e-mail,
and (2) fictitious source IP addresses in denial of service attacks.
1. Unauthorized Use
Unauthorized use of computers tends generally takes the following forms:
- Computer voyeur. The criminal reads (or copies) confidential
or proprietary information, but data is neither deleted nor changed.
In 1999, the Melissa virus infected
a [possibly confidential] document on a victim's computer, then
automatically sent that document and copy of the virus via e-mail
to other people. Subsequently, the
Klez malicious programs
made a similar release of [possibly confidential] documents
from a victim's computer. These malicious programs are a new way
to release confidential information from a victim's computer,
with the confidential information going not to the author
of the malicious program, but to some person unknown to the
author of the malicious program.
- Changing data. For example, change a grade on a school transcript,
add "money" to a checking account, etc. Unauthorized changing of data is
generally a fraudulent act.
- Deleting data. Deleting entire files could be an act of vandalism
- Denying service to authorized users. On a modern time-sharing
computer, any user takes some time and disk space, which is then
not available to other users. By "denying service to authorized users",
I mean gobbling unreasonably large amounts of computer time or disk space,
- by sending large amounts of junk e-mail in one day,
a so-called "mail bomb",
- by having the computer execute a malicious program that puts the
processing unit into an infinite loop,
- by flooding an Internet server with bogus requests for webpages,
thereby denying legitimate users an opportunity
to download a page and also possibly crashing the server.
This is called a denial of service
During 1950-1975, computer programs and data were generally stored on
cardboard cards with holes punched in them. If a vandal were to break into an
office and either damage or steal the punch cards, the vandal could be
adequately punished under traditional law of breaking and entering, vandalism,
However, after about 1975, it became common to enter programs and data from
remote terminals (a keyboard and monitor) using a modem and a telephone
line. This same technology allowed banks to retrieve a customer's current
balance from the bank's central computer, and merchants to process credit card
billing without sending paper forms. But this change in technology also meant
that a criminal could alter data and programs from his home, without physical
entry into the victim's building. The traditional laws were no longer adequate to
punish criminals who used computer modems.
Most unauthorized use of a computer is accomplished by a person in his home,
who uses a modem to access a remote computer.
In this way, the computer criminal is acting analogous to a burglar.
The classic definition of a burglary is:
In traditional burglaries, the felony was typically larceny,
an unlawful taking of another person's property.
However, in the unauthorized use of another's computer, the
criminal "enters" the computer via the telephone lines, which is not
breaking into the building. Either the burglary statute needed to be made
more general or new criminal statute(s) needed to be enacted for unauthorized
access to a computer. Legislatures chose to enact totally new statutes.
- the breaking and entering of a building with the intent to
commit a felony therein.
To successfully use a remote computer, any user (including criminals) must
have both a valid user name and valid password.
There are several basic ways to get these data:
- Call up a legitimate user, pretend to be a system administrator,
and ask for the user name and password. This sounds ridiculous,
but many people will give out such valuable information to anyone
who pretends to have a good reason. Not only should you refuse to
provide such information, but please report such requests to the
management of the online service or the local police, so they can be
alert to an active criminal.
- Search user's offices for such data, as many people post their
user name and password on the side of their monitor or filing cabinet,
where these data can be conveniently seen.
- Write a program that tries different combinations of
user names and passwords until one is accepted.
- Use a packet "sniffer" program to find user names
and passwords as they travel through networks.
- Search through a garbage bin behind the computer building in a university
or corporate campus, find trash paper that lists user names and
A disgruntled employee can use his legitimate computer
account and password for unauthorized uses of his employer's computer.
This can be particularly damaging when the disgruntled employee is the
computer system administrator, who knows master password(s) and can enter
any user's file area. Such disgruntled employees can perpetrate an
"inside job", working from within the employer's building, instead
of accessing a computer via modem.
The computer voyeurs, like petty criminals who peek in other people's windows,
generally hack into other people's computers for the thrill of it.
In the 1970s and early 1980s, many of these computer voyeurs also
used technology to make long-distance telephone calls for free,
which technology also concealed their location when they were hacking
Many of these voyeurs take a special thrill from hacking into
military computers, bank computers, and telephone operating system
computers, because the security is allegedly higher at these computers,
so it is a greater technical challenge to hack into these machines.
The criminals who change or delete data, or who deliberately gobble large
amounts of computer resources, have a more sinister motive and are
capable of doing immense damage.
Of course, there is always the possibility that a computer voyeur will
"accidentally" bumble around an unfamiliar system and cause appreciable
damage to someone else's files or programs.
Traditional criminal law in the USA places a great deal of emphasis on
willful or intentional conduct, so such "accidental" damage would not
satisfy the traditional requirement of mens rea
(literally "guilty mind" or criminal intent).
My personal opinion is that someone who deliberately hacks
into someone else's computer should be accountable under criminal law
for whatever damage is done by the unauthorized hacking,
even if the damage is "accidental".
In this regard, I would make an analogy to a homicide that occurs
"accidentally" during the commission of a felony:
the perpetrators are then charged with "felony murder":
the intent to commit the hacking constitutes the malice or intent
to cause the damage.
In the 1970s and early 1980s, a common reaction was that hackers
were a minor nuisance, like teenagers throwing rolls of toilet paper
into trees. Then, in August 1983, a group of young hackers
in Milwaukee hacked into a computer at the Sloan-Kettering Cancer
Institute in New York City. That computer stored records of cancer
patients' radiation treatment. Altering files on that computer
could have killed patients, which reminded everyone that
hacking was a serious problem.
This 1983 incident was cited by the U.S. Congress
in the legislative history of a federal computer crime statute.
S. Rep. 99-432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2480.
There is an interesting case under California state law for a criminal who
improved his clients' credit rating.
People v. Gentry, 285 Cal.Rptr. 591 (Cal.Ct.App. 1992).
In recent years, there have been a large number of attacks on
websites by hackers who are angry with the owner of the website.
Victims of such attacks include various U.S. Government agencies,
including the White House and FBI.
Attacking the FBI website is like poking a lion with a stick.
In a typical attack, the hacker will delete some pages or graphics,
then upload new pages with the same name as the old file, so that
the hacker controls the message conveyed by the site.
This is not the worst kind of computer crime. The proper owner of the
site can always close the website temporarily, restore all of the files
from backup media, improve the security at the site, and then re-open the site.
Nonetheless, the perpetrator has committed a computer crime
by making an unauthorized use of someone else's computer or
The Internet is a medium for freely sharing information and opinions.
However the criminals who trash other people's websites are acting
as self-appointed censors who deny freedom of speech to those with whom
they disagree. These criminals often make the self-serving excuse
for their actions that they only attack sites sponsored by bad corporations
or bad people. However, this excuse makes these criminals into vigilantes
who serve as legislature, judge, jury, and executioner:
arrogantly determining what is in the best interests of society.
One example of punishment for the crime of defacing a website
is the case of Dennis M. Moran.
On 9 March 2001, Moran (alias "Coolio"),
a high school dropout,
was sentenced in New Hampshire state court
to nine months incarceration and ordered to pay a total of US$ 15000
restitution to his victims for defacing two websites:
See the New Hampshire
- In November 1999, he defaced the website of DARE America,
an organization that campaigns against use of illicit drugs,
whose website was in Los Angeles, California.
- In February 2000, he defaced the website of RSA Security in
- In February 2000, he made "unauthorized intrusions" into computers
at four different U.S. Army and Air Force installations.
Denial of Service (DoS) Attacks
A denial of service attack occurs when an Internet server
is flooded with a nearly continuous stream of bogus requests for webpages,
thereby denying legitimate users an opportunity
to download a page and also possibly crashing the webserver.
Criminals have developed a simple technique for executing a distributed
This may sound sophisticated, but the remote-control programs,
and instructions for using them,
are readily available from many pro-hacker websites since June 1999.
Tips for Avoiding Computer Crime, has specific
suggestions for how you can use firewall software on your computer
to prevent your computer from being used by criminals
in DoS attacks on victims.
- The criminal first plants remote-control programs on dozens of computers
that have broadband access to the Internet. The remote-control
program will, at the command of the criminal,
issue a nearly continuous series of pings
to a specified victim's website.
- When the criminal is ready to attack, he instructs the
programs to begin pinging a specific target address.
The computers containing the remote-control programs act as
- The victim computer responds to each ping, but because the
zombie computers gave false source addresses for their pings,
the victim computer is unable to establish a connection with
the zombie computers. Because the victim computer waits for a response
to its return ping, and because there are more zombie computers
than victims, the victim computer becomes overwhelmed and either
(a) does nothing except respond to bogus pings or (b) crashes.
- Typically, after one or two hours, the criminal instructs his
programs to stop pinging the victim.
This brief duration is not because the criminal is a nice person,
but because long-duration attacks make it easier for engineers
at the victim's website to promptly trace the source of the attacks.
Another kind of DoS attack uses a so-called "ping of death"
to exploit bugs in software on webservers.
during three weeks in February 2001,
showed that there are about 4000 DoS attacks each week.
Most DoS attacks are neither publicized in the news media
nor prosecuted in courts.
a senior security engineer at the University of Washington
and expert on Unix system administration, has posted
a large collection of
to resources on distributed DoS attacks.
The following is one case involving a famous series of DoS attacks:
The above facts are taken from reports at
and the sentence is reported at
- The Yahoo website was attacked at 10:30 PST on Monday,
7 Feb 2000. The attack lasted three hours.
Yahoo was pinged at the rate of one gigabyte/second.
- The websites of amazon.com buy.com cnn.com
eBay.com were attacked on Tuesday, 8 Feb 2000.
Each attack lasted between one and four hours.
CNN reported that the attack on its website was the first major attack
since its website went online in August 1995.
- The websites of E*Trade, a stock broker, and ZDNet, a computer
information company, were attacked on Wednesday, 9 Feb 2000.
- About fifty computers at Stanford University, and also computers at
the University of California at Santa Barbara, were amongst the zombie
computers sending pings in these DoS attacks.
- The attacks received the attention of President Clinton and the U.S.
Attorney General, Janet Reno. The FBI began to investigate.
news report posted at 18:44 EST on 9 Feb 2000
quotes Ron Dick of the FBI's National Infrastructure Protection
Center as saying "A 15-year-old kid could launch these attacks.
It doesn't take a great deal of sophistication to do."
- His remark was prophetic, because, on 18 April 2000, a
15-year-old pupil in Montréal Canada was arrested and charged
with two counts of "mischief to data" arising from his DoS attack on CNN.
Because he was a juvenile, his name can not be publicly disclosed,
so he was called by his Internet pseudonym Mafiaboy.
The Royal Canadian Mounted Police seized Mafiaboy's computer.
reported that Mafiaboy was granted bail, with the following conditions:
- "may only use computers under the direct supervision of a teacher."
- "prohibited from connecting to the Internet"
- prohibited from entering "a store or company where computer
services or parts are sold."
- "barred from communicating with three of his closest friends."
- On 3 August 2000, Canadian federal prosecutors charged Mafiaboy with
54 counts of illegal access to computers, plus a total of ten counts
of mischief to data for his attacks on
Amazon.com, eBay, Dell Computer, Outlaw.net, and Yahoo.
Mafiaboy had also attacked other websites, but prosecutors decided that
a total of 66 counts was enough. Mafiaboy pled not guilty.
- In November 2000, Mafiaboy's bail was revoked, because he
skipped school in violation of a court order. He spent two weeks in jail.
- In December 2000, Mafiaboy, now 16 y old, dropped out of school
(after being suspended from school six times since the beginning of that
academic year, and failing all of his classes except physical education),
and was employed at a menial job. He was again granted bail.
- On 18 Jan 2001, Mafiaboy pleaded guilty to 5 counts of mischief to data
and 51 counts of illegal access to computers. As part of a plea agreement
between his attorney and prosecutors, the prosecution dismissed the
remaining ten counts.
- On 20 June 2001, a social worker reported to the court that Mafiaboy
"shows no sign of remorse" and "he's still trying to justify what
he did was right."
- On 12 Sep 2001, Mafiaboy was sentenced to spend eight months in a
juvenile detention center, then spend one year on probation.
Because Mafiaboy was a child at the time of his crime,
the maximum sentence that he could have received
would be incarceration for two years.
In issuing the sentence, Judge Gilles Ouellet commented:
- This is a grave matter. This attack weakened the entire
electronic communications system. And the motivation was
undeniable, this adolescent had a criminal intent."
2. malicious computer programs
The following are general terms for any computer program that is designed to
harm its victim(s):
Malicious computer programs are divided into the following classes:
- malicious code
- malicious program
- malware (by analogy with "software")
- rogue program
- A virus is a program that "infects" an executable file.
After infection, the executable file functions in a different way
maybe only displaying a benign message on the monitor,
maybe deleting some or all files on the user's hard drive,
maybe altering data files.
There are two key features of a computer virus:
- the ability to propagate by attaching itself to executable files
(e.g., application programs, operating system, macros, scripts,
boot sector of a hard disk or floppy disk, etc.)
Running the executable file may make new copies of the virus.
- the virus causes harm only after it has infected an
executable file and the executable file is run.
The word "virus" is also commonly used broadly to include computer viruses,
worms, and Trojan Horse programs. For example,
so-called "anti-virus software" will remove all three classes
of these malicious programs.
Beginning with the Melissa virus in 1999, viruses could automatically
send e-mail with the victim's name as the alleged source.
- A worm is a program that copies itself.
The distinction between a virus and worm, is that a virus never
copies itself a virus is copied only when the infected executable
file is run.
In the pure, original form, a worm neither deleted nor changed
files on the victim's computer the worm simply made
multiple copies of itself and sent those copies from the victim's
computer, thus clogging disk drives and the Internet with
multiple copies of the worm.
Releasing such a worm into the Internet will
slow the legitimate traffic on the Internet, as continuously
increasing amounts of traffic are mere copies of the worm.
Beginning with the Klez worm in early 2002, a worm
could drop a virus into the victim's computer. This kind of
worm became known as a blended threat,
because it combined two different types of malicious code.
- A Trojan Horse is a deceptively labeled program that
contains at least one function that is unknown to the user
and that harms the user.
A Trojan Horse does not replicate, which distinguishes
it from viruses and worms.
Some of the more serious Trojan horses allow a hacker to
remotely control the victim's computer, perhaps to collect
passwords and credit card numbers and send them to the hacker,
or perhaps to launch denial of service attacks on websites.
Some Trojan Horses are installed on a victim's computer by
an intruder, without any knowledge of the victim. Other Trojan
Horses are downloaded (perhaps in an attachment in e-mail)
and installed by the user, who intends to acquire a benefit
that is quite different from the undisclosed true purpose
of the Trojan Horse.
- A logic bomb is a program that "detonates" when some event occurs.
The detonated program might stop working (e.g., go into an infinite loop),
crash the computer, release a virus, delete data files,
or any of many other harmful possibilities.
A time bomb is a type of logic bomb, in which
the program detonates when the computer's clock reaches some target date.
- A hoax is a warning about a nonexistent malicious program.
I have a separate essay
that describes how to recognize hoaxes, and how to respond to them.
Some confusion about the distinction between a virus and
a worm is caused by two distinctly different criteria:
For most viruses or worms, these two different criteria give
the same result. However, there have been a few malicious programs
that might be considered a virus by some and a worm by others.
Ultimately, the taxonomy matters only to computer scientists
who are doing research with these malicious programs.
- a virus infects an executable file, while a worm is a
- a virus requires human action to propagate (e.g., running
an infected program, booting from a disk that has infected boot sectors)
even if the human action is inadvertent,
while a worm propagates automatically.
The first computer virus found "in the wild" was written in 1986
in a computer store in Lahore, Pakistan.
In the 1980s, computer viruses were generally spread by passing floppy
disks from one user to another user.
In the late 1990s, computer viruses were generally spread via the Internet,
either in e-mail (e.g., a virus contained in a Microsoft
Word macro, or a worm contained in an attachment to e-mail)
or in programs downloaded from a website.
The distribution of viruses via the Internet permitted a much more
rapid epidemic, so that more computers could be infected in a shorter
time than when floppy disks were used to spread the infection.
The first prosecution under the Federal computer crime statute,
18 USC § 1030,
was for a release of a worm. Robert Tappan Morris,
then a graduate student in computer science at Cornell University,
released his worm into the
Internet on 2 Nov 1988. The worm rapidly copied itself and
effectively shut down the Internet. Morris was convicted of
violating 18 USC §1030 in 1990 and the conviction was
upheld in U.S. v. Morris, 928 F.2d 504 (2dCir. 1991),
cert. denied, 502 U.S. 817 (1991).
My long discussion of a few famous malicious programs is in a separate
essay, emphasizes the
nonexistent or weak punishment of the authors of these programs.
There is a reported case under state law for inserting a logic bomb
into custom software.
Wisc. v. Corcoran, 522 N.W.2d 226 (Wisc.Ct.App. 1994).
"justification" for malicious programs
Designing and releasing malicious computer programs is not
only unethical, but also unlawful.
However, some people defend the authors of malicious code
by offering one or more of the following justifications:
- The malicious code exposes security flaws in operating
systems and applications software.
- There is no doubt that the publicity surrounding an epidemic
of a virus or worm increases awareness of security flaws.
However, this incidental benefit does not justify
the more than US$ 106 cost to clean
the malicious code from more than a thousand infected computers.
- Regardless of any benefits to society, a worm or virus
is still an unauthorized access of a person's
- A rational and socially acceptable response to discovering
a security flaw is to privately notify the software vendor
that issued the flawed software. That vendor can then develop
a patch and, when the patch is ready for public distribution,
the vendor can inform system administrators.
In that way, the vulnerability is not publicly disclosed for criminals
to exploit before the patch is available.
- Computer viruses and worms have been widely known since 1988.
Despite this awareness, infection reports continue to show
that viruses and worms that are more than one year
old are continuing to propagate. This result shows that either
computer users are not routinely updating their anti-virus software
to protect against the most recent threats or
computer users are continuing to operate infected machines,
which continue to spew viruses and worms via e-mail.
So, even if one accepts the reasoning that
malicious code is desirable because it increases awareness
of security issues, the increased awareness is practically
ineffective, hence this "justification" fails.
- Worse, the publicity about security vulnerabilities may encourage
additional people to release malicious programs.
For example, a number of copycat variants appear soon after
a major new malicious program is reported in the news media.
Such malicious programs, as well as tool kits for generating
new malicious programs, are easily available from many hacker websites.
Only minimal computer skills are required to produce and release
a malicious program.
- Low pressure in automobile tires causes tire failure, which,
in turn, causes automobile accidents. Would it be reasonable
for someone to walk around in the parking lot, letting some air out
of tires, so tires are seriously underinflated, with the
justification that the ensuing accidents will call attention
to the problem of underinflated tires? This justification
is ludicrous in the context of automobile tires and it is
no better in the context of computer security.
- It is the victim's fault if they are infected by a worm or virus
that exploits a known security flaw, for which a patch is available.
- It is certainly a good idea to install patches or updates
for the software that one uses. However, failure to install
such patches or updates is not an invitation to criminals
to attack a victim's computer.
- Prof. Spafford said:
- To attempt to blame these individuals [i.e., computer systems
administrators] for the success of the Worm is equivalent
to blaming an arson victim because she didn't build her
house of fireproof metal.
- Eugene H. Spafford, The Internet Worm Incident,
Purdue University Computer Science Department Technical Report
at page 15, 19 Sep 1991.
- There is no legal obligation in criminal law for a victim to use the
latest or best computer hardware and software.
Simply: a victim neither invites nor consents to
a crime. However, if a
victim were to sue the author of malicious code in tort,
then the victim's alleged negligence would be a proper legal issue.
It is important to distinguish
criminal law from torts, which are part of civil law.
- It is ok if the author of the malicious code does not
alter or delete any of the victim's data files.
No. The victim is still harmed by the cost of removing
the malicious program, the costs of lost productivity
during the removal of the malicious program,
possible exposure of confidential information (e.g., either
to a hacker who examines data files via a Trojan Horse program,
or a malicious program that sends a document on the victim's computer
to potential future victims), among other possible harms.
Furthermore, the privacy and property rights
of the victim have been violated by the author of malicious code.
Any unauthorized access of a computer is, or should
be, criminal, regardless of the perpetrator's intent once inside
- The virus/worm was a laboratory experiment gone awry.
The Internet, including e-mail, is neither a laboratory
nor a playground. Scientists, engineers, professors,
businesses, governments, etc. depend on the routine
functioning of the Internet for their work,
distributing information, and for other public services.
Anyone wishing to play with viruses or worms should use
a quarantined system that is not connected to the Internet.
An "experimenter" must not create a big mess that requires
computer system administrators worldwide to devote much time to remove.
In considering the actions of Morris, a graduate student
at Cornell who released his worm into the Internet, a commission of
five Cornell professors said:
- This was not a simple act of trespass analogous to wandering
through someone's unlocked house without permission[,] but with no
intent to cause damage.
A more apt analogy would be the driving of a golf cart on
a rainy day through most houses in a neighborhood.
The driver may have navigated carefully and broken no china,
but it should have been obvious to the driver that the mud on the
tires would soil the carpets and that the owners would later
have to clean up the mess.
- Theodore Eisenberg, David Gries, Juris Hartmanis, et al.,
The Computer Worm, A Report to the Provost of Cornell University ...,
p. 7 (see also p. 40), Feb 1989.
Summary reprinted in Communications of the ACM,
Vol. 32, pp. 706-709, June 1989.
Summary also reprinted in Peter J. Denning, editor,
Computers Under Attack, Addison-Wesley Publishing Co., 1990.
The above quote is on page 258 of Denning's book.
It is self-serving to associate a criminal's actions with the
prestige of a scientist who does an experiment.
Scientists follow a professional code of ethics, in addition
to behaving in a lawful way, and avoid harming other people.
Scientists work together in a collegial way, with implicit
trust. As pointed out by Eisenberg, et al. in
The Computer Worm, pages 7, 25, 41,
releasing malicious code is a violation of trust.
- The virus/worm was "accidentally" released.
First, there is no acceptable reason to create malicious software that
alters or deletes data files from the victim's hard disk,
releases confidential information from the victim's computer
along with a copy of the virus/worm to potential future victims,
attempts to disable anti-virus software on the victim's computer,
or any of the other harms that have been observed in real
malicious programs. There is no rational reason to write a program
that one intends never to use.
Second, if one writes such a destructive program, then one must
use extraordinary care (i.e., the same care that one takes with
toxic chemicals, explosives, highly radioactive materials, etc.)
to make certain that the program is never released.
Society ought to demand that those who release malicious programs,
even if the release is an "accident", be held legally responsible for the
damage caused by their malicious programs.
- The author of the virus/worm did not know how rapidly
the virus/worm would propagate.
In my companion essay on Examples of Malicious Computer
Programs, I explained why this excuse is
- Although not a common excuse offered by defenders of an author
of a malicious computer program, the author himself often
seems to believe that
his virus/worm is proof of his programming ability.
However, careful examination of famous malicious programs that have caused
extensive damage shows that these programs
commonly contain many programming errors (so-called "bugs").
Such bugs often prevent a malicious program from causing
more damage; sometimes bugs make a program worse than its author
probably intended. Either way, a program full of bugs
is not evidence of programming skill. And, more importantly,
someone who writes malicious programs is a criminal, not
the type of person who an ethical employer would want to hire.
Such specious excuses for authors of malicious code were
fairly common from professional programmers in the 1980s,
but are less frequent now.
The worm released into the Internet by Robert Morris in Nov 1988
seems to have jolted most computer professionals into realizing
that ethics and law are essential to the computer profession.
Now, specious excuses are mostly offered by criminals and their attorneys.
3. Harassment & Stalking
In general, the harasser intends to cause emotional distress
and has no legitimate purpose to his communications.
Harassment can be as simple as continuing to send e-mail to someone
who has said they want no further contact with the sender.
Harassment may also include threats, sexual remarks, pejorative labels
(i.e., hate speech).
A particularly disturbing form of harassment is sending a forged
e-mail that appears to be from the victim and contains
racist remarks, or other embarrassing text, that will tarnish the
reputation of the victim.
It is often difficult to get law enforcement personnel and prosecutors
interested in harassment, unless threats of death or serious
bodily harm are made, simply because the resources of the criminal
justice system are strained by "more serious" criminal activities.
I put "more serious" in quotation marks, because the victim of
harassment certainly is adversely affected by the harassment, therefore
it is a serious matter to the victim.
But the law treats harassment as a misdemeanor, the group of less
4. Weak Punishment in USA
I have a general concern about the inability of the criminal justice
system to either deter criminal conduct or protect society.
This concern is particularly acute in the area of computer crime,
where immense damage is being done to corporations by computer
viruses and worms. Public safety is threatened by criminals who hack into
the telephone system and crash 911 services, among other examples.
There are many theories that justify punishment of criminals.
While severe punishment may not deter criminal conduct, punishment
does express the outrage of decent society at criminal conduct.
One of the earliest reported cases in federal courts in the USA
on computer crime was that of Robert Riggs.
U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990),
743 F.Supp. 556 (N.D.Ill. 1990),
aff'd, 967 F.2d 561 (11thCir. 1992).
Riggs was first convicted in 1986 for his unauthorized use of
a computer and was sentenced to a mere 15 days of community service
and placed on probation for 18 months.
967 F.2d at 562.
In 1990 Riggs was indicted again for making unauthorized access to
computers, during which he stole proprietary information from a telephone
company. This time he was sentenced to 21 months in prison,
followed by two years of "supervised release"
during which time he was forbidden to either
own or use any computer for his personal use.
Riggs was allowed to use computers in his employment, if supervised
by someone. This sentence was upheld on appeal.
967 F.2d at 563.
In March 1997, a young hacker disabled the telephone service
at the Worcester, Massachusetts airport for six hours,
which disabled the air-traffic control system and other critical services.
This same hacker also copied patients' records from a computer
in a pharmacy on four separate occasions in January, February, and March 1997.
This hacker was the first juvenile to be prosecuted
by the U.S. Government for computer crime.
He pled guilty and was placed on probation for
two years, was ordered to provide 250 hours of community service,
and forfeited all of the computer equipment used during his criminal
I have a long discussion of a few famous malicious programs
and the legal punishment of their authors in a separate
The point made in that essay is that, out of approximately 61000
malicious programs for the Microsoft Windows operating system,
there have been arrests and convictions of the author(s) of
only five malicious programs:
Except for the author of the Pathogen virus, each of these criminals
received very light punishment.
- the author of a worm released in 1988,
- the author and distributors of the MBDF virus,
- the author of the Pathogen virus,
- the author of the Melissa virus, and
- the author of the Anna worm.
5. Computer Crime Statutes in USA
There are many federal statutes in the USA that can be used
to prosecute computer criminals:
- 15 USC § 1644, prohibiting fraudulent use of credit cards
- 18 USC § 1029, prohibiting fraudulent acquisition of
- 18 USC § 1030, prohibiting unauthorized access to any
computer operated by the U.S. Government, financial
institution insured by the U.S. Government,
federally registered securities dealer, or foreign bank.
- 18 USC § 1343, prohibiting wire fraud
- 18 USC § 1361-2, prohibiting malicious mischief
- 18 USC § 1831, prohibiting stealing of trade secrets
- 18 USC § 2314, prohibiting interstate transport of
stolen, converted, or fraudulently obtained material;
does apply to computer data files
U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990).
- 18 USC § 2319 and 17 USC § 506(a), criminal violations
of copyright law
- 18 USC § 2510-11, prohibiting interception of electronic communications
- 18 USC § 2701, prohibiting access to communications
stored on a computer (i.e., privacy of e-mail)
- 47 USC § 223, prohibiting interstate harassing telephone calls
State Statutes in USA
There is wide variation in state statutes on computer crime in the USA:
in my opinion, most state statutes are not adequate to punish
California, Minnesota, and Maine are among the few states
to prohibit explicitly release of
a computer virus or other malicious program.
California Statutes, Title 13 (Penal Code),
§§ 502(b)(10) and 502(c)(8).
Minnesota Statutes, §609.87(12) and §609.88(1)(c).
Maine Statutes, 17-A (Criminal Code), § 433(1)(C).
In states without an explicit statute, release of a malicious program
would probably be prosecuted as "malicious mischief".
California also provides for the forfeiture of computer systems
used in the commission of a computer crime. If the defendant is a
minor, the parents' computer system can be forfeited.
California Statutes, Title 13 (Penal Code),
§§ 502(g) and 502.01(a)(1)
In November 1996 and July 1997,
I made comprehensive searches of the WESTLAW databases
of reported cases in both state and federal courts in the USA
on computer crimes. I was surprised to find that,
in sharp contrast to most other areas of law,
there was very little reported case law
on computer crimes, except obscenity cases.
I have the impression that most computer criminals who are
apprehended plead guilty to a lesser offense (a so-called
"plea bargain") and avoid a trial. Plea bargains are
common the U.S.A., as they dispose of cases without large investments
of prosecutorial and judicial time. In the specific area of computer
crimes, prosecuting such a case would be difficult for prosecutors, because
the jury would need to learn about complex technical matters.
In addition to making life easier for prosecutors and judges,
many victims (particularly banks and other corporations)
may be embarrassed to admit that some teenager defeated their
security features, thus these victims refuse to testify in court.
6. sue in tort
In addition to any criminal penalties,
victim(s) of computer crimes can sue the perpetrator in tort.
For example, unauthorized use of a computer system could be
"trespass on chattels". A computer voyeur might also be sued in tort for
invasion of privacy or disclosure of a trade secret.
A harasser might be sued in tort for intentional infliction of
There is also the possibility of a class action by corporate
and personal victims against a person who wrote and initially
released a computer virus.
The downside of such tort litigation is that the
perpetrators are generally young people (often between 12 and 25 years
of age) and have little assets that could be seized immediately to satisfy a judgment.
On the other hand, judgments in the USA are generally valid for 20 years,
so future income of the wrongdoer can be used to satisfy the judgment.
Moreover, the publicity surrounding such a trial might
impress potential hackers with the seriousness of such wrongful conduct
and deter other potential hackers. In addition, such trials
might express the outrage of society at the behavior of hackers.
Defendants between 7 and 14 y of age may be sued in tort, but their
duty of care is generally less than an adult's duty.
There is one exception, when children engage in an
adult activity (e.g., fly an airplane),
the law imposes an adult's duty of care on the child.
Restatement (Second) Torts, § 283A, comment c (1965).
In my opinion, there are good reasons why
computer programming (e.g., design of a virus) or
hacking qualifies as an "adult activity". However, there
appear to be no reported court cases in the USA
that have decided this issue.
There is another remedy in civil law, besides damages awarded
in tort litigation:
a victim can get a temporary restraining order (TRO),
then an injunction,
that enjoins continuance of wrongs
(e.g., disclosure of proprietary or private data)
that will cause irreparable harm or for which there is
no adequate remedy at law.
One of the functions of the criminal justice system is to deter
crime by other people.
Journalists play an important role in this deterrence by reporting
on the crime (and how people were harmed), arrest, trial, and
sentence of the guilty criminals. One hopes that people contemplating
computer crimes will read these
reports by journalists, and say to themselves: "I should not
write a computer virus, because I don't want to be put in prison
like David Lee Smith,"
the author of the Melissa virus.
However, reports of computer crime by journalists are less than
- Journalists often glorify or praise the criminal suspect,
by admiring his programming "talent", or even calling him a "genius".
In the 1980s, most hackers committed fraud
to get a username and password for a computer account, and then
logged on to the computer without proper authorization, and
browsed through files, copying some, deleting or altering others.
Such work does not require any knowledge of computer programming,
just a rudimentary knowledge of a few operating system commands.
Since 2000, authors of malicious programs use resources readily
available on the Internet to create a "new" computer virus or worm,
or launch a denial of service attack.
Again, such activities do not demonstrate a high level of
proficiency in computer programming.
It is an anti-social act for journalists to praise the exploits of hackers:
hackers are criminals who deserve scorn and ostracism.
And when hackers are publicly praised as geniuses, the wrong message
is sent to serious students in computer science who behave ethically
and who are ignored by journalists, despite the fact that the
students are both smarter and more ethical than hackers.
- I have noticed that many online newspapers:
If punishment is to have a deterrent effect on other people,
then the coverage of the trial, verdict, and sentence must be increased.
- devote considerable space to reporting the crime when
- describe the arrest of the criminal suspect in detail,
- but the trial of the suspect receives less attention from journalists,
- and the verdict and sentence often go unreported
in the media.
Aside from my main point about deterrence of future crimes,
by reporting of sentencing and punishment of computer criminals,
there is another issue. The widespread reporting of the crime
and the arrest of a suspect tarnishes the name of the suspect,
by linking the crime and the suspect's name in people's minds.
However, the suspect might later be found not guilty of the crime.
The lack of reporting of the trial and its outcome provides
no opportunity for an innocent suspect to rehabilitate his good name.
- Part of the problem is that many journalists who write about
computer crime are themselves computer-illiterate.
(Their ignorance shows in the technical mistakes made in their articles.)
From the perspective of a computer-illiterate journalist,
the work of a computer criminal may indeed be incomprehensible.
Arthur C. Clarke said anything sufficiently advanced appears as magic.
That may be, but it is unprofessional for journalists to write
on subjects that they do not personally understand.
News media hire journalists who understand economics and finance
to report business news, and journalists who understand sports
to report on sports, so why can't the news media hire journalists
who understand computers to report on computer crime?
The fundamental issue in most computer crime is the criminals'
lack of respect for the property or privacy of other people.
I hope that society will recognize the seriousness of computer crime
and demand more severe punishment for such criminals.
this document is at http://www.rbs2.com/ccrime.htm
My last search for case law on computer crime was in July 1997.
21 June 1999, revised 4 Sep 2002
Tips for Avoiding Computer Crime,
which essay includes
links to websites
on computer viruses, computer crime, and related topics, plus
a list of good books on computer crime.
My discussion of a few famous malicious programs and the nonexistent
or lenient punishment of their authors are contained in my separate
return to my homepage